To mitigate CVE-2020-11986, NetBeans requests user consent before analyzing a Gradle project (analysis executes build.gradle, which could then perform arbitrary malicious actions). Projects are opened as "broken" and report a problem offering to "Run priming build". The frequency of these queries is slightly too high, and the aim of this write-up is to eliminate some of the consent queries without compromising the fix for CVE-2020-11986.
| Action | Always ask for consent? |
|---|---|
| User creates a new project in the IDE | Never |
| User opens a single file in the editor (belonging to a project that is not opened) | Yes, show a bubble with a request for consent |
| User browses disk via File / Open Project | Don't ask, don't trust until opened |
| User explicitly opens a project via File / Open Project | No |
| User opens a single file in a subproject of an opened (trusted) master project | No, all subprojects are trusted |
| User closes a trusted project and reopens it | No, trust is forever(?) |
When a single file is being edited, should the IDE encourage the user to open/trust and analyze the project it belongs to, if any? How? A bubble message in a corner with a link?
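The table rows "all subprojects are trusted" and "trust is forever" hinge on how the IDE decides whether a file lies inside a trusted project root. The following is an added illustration, not NetBeans code: a hypothetical in-memory trust store (the class and method names are assumptions) that keys trust on the project root, checks containment on path components rather than string prefixes, and never runs a build script for an untrusted file.

```python
from pathlib import PurePosixPath


class GradleTrustStore:
    """Hypothetical store of project roots the user has consented to.

    Trust is keyed on the project root directory, so every subproject
    underneath a trusted root is trusted as well. Closing a project does
    not touch the store, which models the "trust is forever" row.
    """

    def __init__(self):
        self._trusted_roots = set()

    def trust(self, project_root):
        """Record consent for one project root, e.g. after the user created
        the project in the IDE or answered the consent bubble."""
        self._trusted_roots.add(PurePosixPath(project_root))

    def is_trusted(self, path):
        """True if path is a trusted root or lies inside one.

        Containment is decided on path components: trusting /home/u/app
        must not cover /home/u/app-other/build.gradle, which a plain
        string-prefix check would wrongly accept.
        """
        p = PurePosixPath(path)
        return any(root == p or root in p.parents
                   for root in self._trusted_roots)

    def decide_open_file(self, file_path):
        """Decision for opening a single file in the editor.

        Returns "prime" when the priming build may run because the file
        belongs to a trusted project (or one of its subprojects), and
        "open-broken-and-ask" otherwise: the file is opened, the project
        stays "broken", no build script executes, and consent is requested.
        """
        if self.is_trusted(file_path):
            return "prime"
        return "open-broken-and-ask"


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real workspace.
    store = GradleTrustStore()
    store.trust("/home/u/app")
    print(store.decide_open_file("/home/u/app/lib/src/Main.java"))
    print(store.decide_open_file("/home/u/app-other/build.gradle"))
```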
3 Comments
Laszlo Kishalmi
Well, opening a single file in an editor shall be allowed without trusting anything. That action does not result in uncontrolled out-of-IDE execution. Also I, as a user, would like to peek into the Gradle build scripts before trusting them.
Jaroslav Tulach
OK, but opening a `.java` without having a proper classpath isn't very user friendly. Can we ask the user for consent in some gentle way (a notification with a link)?
Neil C Smith
NB. CVE-2020-11986 was in response to a report specifically about the user explicitly opening a project via File / Open Project, so that situation has to ask for consent too, at least until the user overrides that default.